Data Privacy Policy According to the Provisions of the GDPR

Name and address of the controller

The controller for the purposes of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

Hotel Valavier GmbH
Mühledörfle 25
A-6708 Brand / Vorarlberg / Austria

T +43 5559 217
E servus@valavier.at

UID: ATU 643 23 057 | FN 310957s

Name and address of the data protection officer

The controller's data protection officer is:

Rights of the data subject

If your personal data is processed, you are the data subject within the meaning of GDPR and you have the following rights against the controller:

1. Right to information

You may ask the controller to confirm if personal data concerning you is processed by us.
If such processing is being carried out, you can request information from the controller about the following:

1. the purposes for which the personal data is processed;
2. the categories of personal data being processed;
3. the recipient or categories of recipients who have received or will receive the personal data concerned;
4. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
5. the existence of the right to rectification or erasure of personal data or the right to restriction of processing by the controller or the objection to this processing;
6. the right to lodge a complaint with a supervisory authority;
7. all available information about the origin of the data when personal data is not collected from the data subject;
8. the existence of automated decision-making, including profiling, referred to in Article 22 par. 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information about whether your personal data is transferred to a third country or an international organisation. In this context, you can request the appropriate guarantees according to Article 46 GDPR in connection with the transfer.

2. Right to rectification

You have a right against the controller to rectification and/or completion, if your personal data processed is incorrect or incomplete. The controller must make the correction immediately.

3. Right to the restriction of processing

You have the right to obtain from the controller restriction of processing where one of the following applies:

1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
3. the controller no longer needs the personal data for the purposes of processing, but it is required by the data subject for the establishment, exercise or defence of legal claims; or
4. you have objected to processing pursuant to Article 21 par. 1 GDPR pending verification of whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If restriction of processing has been obtained pursuant to the conditions set out above, you shall be informed by the controller before the restriction of processing is lifted.

4. Right to erasure

a) Obligation of erasure

You can demand the controller delete your personal data without delay, and the controller is required to delete that information immediately if one of the following applies:

1. Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
2. You revoke your consent to the processing pursuant to Article 6 par. 1 p. 1 lit. a or Article 9 par. 2 lit. a GDPR and there is no other legal basis for processing.
3. You oppose the processing according to Article 21 par. 1 GDPR and there are no overriding justifiable reasons for the processing, or you oppose the processing according to Article 21 par. 2 GDPR.
4. Your personal data was unlawfully processed.
5. The deletion of your personal data is required to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
6. Your personal data was collected in relation to information society services offered pursuant to Article 8 par. 1 GDPR.

b) Information to third parties

If the controller has made the personal data concerning you public and is obliged to delete it according to Article 17 par. 1 GDPR, the controller shall, taking into account available technology and implementation costs, take appropriate measures, including technical means, to inform data controllers who process your personal data that you as data subject have requested all links to such personal data, or copies or replications of such personal data, to be deleted.

c) Exceptions

The right to erasure does not exist if the processing is necessary:

1. for exercising the right of freedom of expression and information;
2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 par. 2, as well as Article 9 par. 3 GDPR;
4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 par. 1 GDPR insofar as the right referred to in item a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
5. for the establishment, exercise or defence of legal claims.

5. Right to be informed

If you have the right of rectification, erasure or restriction of processing against the controller, he/she is obliged to notify all recipients to whom your personal data has been disclosed of this correction or deletion of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.
You have a right against the controller to be informed about these recipients.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, where:

1. the processing is based on consent pursuant to Article 6 par. 1 p. 1 lit. a GDPR or Article 9 par. 2 lit. a GDPR or on a contract pursuant to Article 6 par. 1 p. 1 lit. b GDPR, and
2. the processing is carried out by automated means.

In exercising this right, you shall have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. Freedoms and rights of other persons may not be affected by this right.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority which has been delegated to the controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6 par. 1 lit. 2 or f GDPR; this is also valid for profiling based on those provisions.

The controller shall no longer process the personal data concerning you unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing; this includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.

You may, in the context of the use of information society services – notwithstanding Directive 2002/58/EC – exercise your right to object by automated means using technical specifications.

8. Right to revoke the data protection declaration of consent

You have the right to revoke your data protection declaration of consent at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the existence of consent prior to consent being revoked.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:

1. is necessary for entering into or performance of a contract between you and the controller;
2. is authorised by Union or Member State law to which the controller is subject and which also lays out suitable measures to safeguard your rights and freedoms and legitimate interests; or
3. is based on your explicit consent.

However, these decisions shall not be based on special categories of personal data referred to in Article 9 par. 1 GDPR unless Article 9 par. 2 lit. a or g GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

With regard to the cases named in (1) and (3), the controller shall take appropriate measures to uphold the rights and freedoms and legitimate interests of the data subject, including at least the right to obtain the intervention of a person by the controller, to express his/her own position and to challenge the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or place of the alleged infringement if you consider the processing of your personal data to infringe the GDPR.

The supervisory authority with which the complaint is lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

General information on data processing

1. Scope of the processing of personal data

In principle, we process our users’ personal data only to the extent necessary to provide a functioning website and our content and services. The processing of users’ personal data takes place regularly only with the consent of the user. An exception applies in cases in which prior consent cannot be obtained for reasons of fact and the processing of the data is permitted by law.

2. Legal basis for processing personal data

Insofar as we obtain the consent of the data subject for processing of personal data, Article 6 par. 1 p. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as legal basis.

Article 6 par. 1 p. 1 lit. b GDPR serves as legal basis for the processing of personal data necessary for the performance of a contract to which the data subject is a party. This also applies to processing required to carry out pre-contractual measures.

Insofar as processing of personal data is required to fulfil a legal obligation to which our company is subject, Article 6 par. 1 p. 1 lit. c GDPR serves as legal basis.

In cases where the vital interests of the data subject or another natural person require the processing of personal data, Article 6 par. 1 p. 1 lit. d GDPR serves as legal basis.

If processing is necessary to safeguard the legitimate interests of our company or a third party, and if the interest, fundamental rights and freedoms of the data subject do not prevail over the first interest, Article 6 par. 1 p. 1 lit. f GDPR serves as legal basis for the processing.

3. Deletion of data and storage period

The data subject’s personal data shall be deleted or blocked as soon as the purpose of the storage no longer applies. In addition, such storage may occur when provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. Blocking or deletion of the data also occurs when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

Provision of the website and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the system of the computer accessing the website.
The following data is collected here:

1. Information about the type of browser and version used
2. The user’s operating system
3. The user’s Internet Service Provider
4. The user’s IP address
5. Date and time of access
6. Websites from which the user’s system accesses our website
7. Websites accessed by the user’s system via our website

The data is also stored in the log files of our system. This data is not stored together with other personal data relating to the user.

2. Legal basis for the processing of data

The legal basis for temporary storage of the data and log files is Article 6 par. 1 p. 1 lit. f GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to allow delivery of the website to the user’s computer. For this, the user’s IP address must be kept for the duration of the session.

Storage in log files is done to ensure the functionality of the website. In addition, the data is used to optimise the website and to ensure the security of our information technology systems. Evaluation of the data for marketing purposes does not take place in this context.

For these purposes, our legitimate interest is in the processing of data pursuant to Article 6 par. 1 p. 1 lit. f GDPR.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In cases of data collection for the provision of the website, this is the case when the respective session is completed.

In the case of storing the data in log files, this is after no more than seven days. Further storage is possible. In this case, the user's IP address is deleted or distorted to ensure it is no longer possible to identify the client.

5. Means of objection and removal

The collection of data for the provision of the website and the storage of the data in log files is essential for the operation of the website. There is consequently no means of objection on the part of the user.

Use of Cookies

a) Description and scope of data processing

Our website uses Cookies. Cookies are text files that are saved onto the Internet browser or by the Internet browser on the computer system of the user. If a user visits a website, a Cookie can be saved on the user’s operating system. This Cookie contains a characteristic string that allows the browser to be uniquely identified when the website is revisited.

We use Cookies to make our website more user-friendly. Some elements on our website require that the requesting browser be identified even after a change in pages.

The following data is saved and transmitted in the Cookies:

Language settings

Items in shopping cart

Log-In informations

We also use Cookies on our website that allow the user’s surfing habits to be analysed.

This allows the following data to be transmitted:

1. Entered search terms
2. Frequency of page views
3. Use of website functions

The user data collected in this way is pseudonymised by technical means. Thus, it is no longer possible to assign the data to the user. The data will not be stored together with other personal data relating to the user.
When accessing our website, users are informed of the use of Cookies for analysis purposes by means of an informational banner and are referred to this privacy policy. In this context, there is also information on how to prevent the storage of Cookies in your browser settings.

b) Legal basis for the processing of data

The legal basis for the processing of personal data using Cookies is Article 6 par. 1 p. 1 lit. f GDPR.

c) Purpose of data processing

The purpose of using technically essential Cookies is to simplify the use of websites for users. Some features of our website cannot be offered without the use of Cookies. For these, it is necessary that the browser is recognised even after a change of pages.

We require Cookies for the following application(s):

1. Acceptance of language setting
2. Shopping cart

The use of the analysis Cookies is for the purpose of improving the quality of our website and its contents. Through the analysis Cookies, we learn how the website is used and thus can continue to optimise our offer.

For these purposes, our legitimate interest is in the processing of personal data pursuant to Article 6 par. 1 p. 1 lit. f GDPR.

d) Duration of storage, means of objection and removal

Cookies are saved on the user’s computer and are transmitted by the computer to our site. Therefore, as a user, you have full control over the use of Cookies. By changing settings on your Internet browser, you can deactivate or restrict the transfer of Cookies. This can also be done automatically. If Cookies are deactivated for our website, it may not be possible to use all features of the website to full effect.

The transmission of Flash Cookies cannot be prevented in the browser settings, but by changing settings of your Flash Player.

Newsletter

1. Description and scope of data processing

On our website you can subscribe to a free newsletter. When registering for our newsletter, the following data from the input mask will be sent to us:

Email address
Surname
First name
Interests
P address of the calling computer
Date and time of registration

Data is not disclosed to third parties in connection with the processing of data for the sending of newsletters. The data will be used exclusively for sending the newsletter.

2. Legal basis for the processing of data

The legal basis for the processing of data after a user registers and gives consent for our newsletter is Article 6 par. 1 p. 1 lit. a GDPR.

3. Purpose of data processing  

The user’s email address is collected in order to deliver the newsletter.
The collection of other personal data in the context of the registration process serves to prevent misuse of the services or the email address used.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. The user’s email address is therefore stored as long as the subscription to the newsletter is active.

The other personal data collected during the registration process will typically be deleted after a period of seven days.

5. Means of objection and removal

Subscription to the newsletter may be terminated by the user at any time. To do so, a corresponding link can be found in each newsletter.

This also allows consent to the storage of the personal data collected during the registration process to be revoked.

Gäste-Club Software

This website uses KunLeiSys Gäste-Club Software (regular guest area). The provider is GASTROpoint GmbH, Pommernstraße 17, 83395 Freilassing, Germany. KunLeiSys Gäste-Club Software is a service with which the guest club, offers, loyalty points, emails about events and newsletter sending are organised and managed. We use data entered for the purpose of using the respective offer or service. The required information requested during registration must be given in full. Otherwise, we must reject the registration. The processing of the data entered during registration is done on the basis of your consent (Article 6 par. 1 lit. a GDPR). You can revoke your consent at any time for free. You can do this via the unsubscribe link in the email or using the deregister option in the guest club. The data entered by you for the purpose of the guest club will be stored by us until you deregister, and deleted from both our servers and from the servers of GASTROpoint GmbH after you logoff and delete your guest club account. For important changes, for example, in the scope of the offer or in the case of technically necessary changes, we will use the email address provided at the time of registration or in your profile to inform you. Legal retention periods remain unaffected. We have concluded a contract for contract data processing with GASTROpoint GmbH and fully implement the strict requirements of the data protection authorities when using KunLeiSys Gäste-Club Software.

Online booking on our website

1. Description and scope of data processing

On our website you have the possibility to book and/or inquire rooms and offers. If a user uses this option, the data entered in the input mask will be transmitted to us and saved. This data is: title, first name, surname, email address, telephone number, address, number of guests, requests, date, time.

Online bookings via our website are completed using the online reservation system of websLINE Internet- & Marketing GmbH, Sägewerkstrasse 24, 83395 Freilassing, Germany. All booking data you enter shall be encrypted. websLINE commits to the data privacy-appropriate handling of your personal data. The company takes all organisational and technical measures to protect your data.

In this context, no further transfer of your data to third parties takes place. The data is used exclusively for processing your booking and for communication purposes.

2. Legal basis for the processing of data

The legal basis for the processing of the data is the conclusion of an accommodation contract with the user.

3. Purpose of data processing

The processing of personal data from the input mask serves solely to process your booking request and to process payment transactions.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In the case of a contractual relationship, we will delete the data received as soon as national, commercial, statutory or contractual retention requirements have been met.

5. Means of objection and removal

The user has the option to object to the processing of their personal data at any time.

We would like to point out that in the case of objection, the booking cannot be completed or the communication cannot be continued

Online bookings via other websites

1. Description and scope of data processing

Interested parties have the option to book rooms and make other arrangements via hotel reservation portals (third parties). If a user uses this option, the data entered in the input mask will be transmitted to us and saved to the extent permitted by the respective hotel reservation portal according to its own privacy policy. This data can include: first name, surname, email address, telephone number, address, number of guests, estimated time of arrival, requests, payment information (credit card).

The data provided is received via a so-called channel manager in our hotel software. All booking data received is encrypted. Seekda GmbH, Neubaugasse 10/15, A-1070 Vienna, Austria is the provider of the channel manager and has committed to data privacy-appropriate handling of transmitted personal data. It takes all organisational and technical measures to protect your data.

In this context, no further transfer of your data to third parties takes place. The data is used exclusively for processing your booking and for communication purposes.

2. Legal basis for the processing of data

The legal basis for the processing of the data is the conclusion of an accommodation contract with the user.

3. Purpose of data processing

The processing of personal data from the input mask serves solely to process your booking request and to process payment transactions.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In the case of a contractual relationship, we will delete the data received as soon as national, commercial, statutory or contractual retention requirements have been met.

Hotel Esplanade Resort & Spa has no influence on the retention periods of the respective hotel reservation portal. 

5. Means of objection and removal

The user has the option to object to the processing of their personal data at any time.

We would like to point out that in the case of objection, the booking cannot be completed or the communication cannot be continued.

Purchasing vouchers via our website

1. Description and scope of data processing

On our website there is the option to purchase vouchers. If a user uses this option, the data entered in the input mask will be transmitted to us and saved. This data is: title, first name, surname, address, email address, telephone number, voucher amount, personalisation of the voucher, shipping options/alternative shipping address, method of payment.

Voucher purchases on our website go through the online ordering system of websLINE Internet- & Marketing GmbH, Sägewerkstrasse 24, 83395 Freilassing, Germany. All order data you enter shall be encrypted. websLINE commits to the data privacy-appropriate handling of your personal data. The company takes all organisational and technical measures to protect your data.

In this context, no further transfer of your data to third parties takes place. The data is used exclusively for processing your booking and for communication purposes.

2. Legal basis for the processing of data

The legal basis for the processing of the data is the conclusion of a contract of sale with the user.

3. Purpose of data processing

The processing of personal data from the input mask serves solely to process your voucher purchase and to process payment transactions.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In the case of a contractual relationship, we will delete the data received as soon as national, commercial, statutory or contractual retention requirements have been met.

5. Means of objection and removal

The user has the option to object to the processing of their personal data at any time.

Table reservations

1. Description and scope of data processing

On our website there is the option to book a table in our restaurant. If a user uses this option, the data entered in the input mask will be transmitted to us. This data is: title, first name, surname, email address, telephone number, table reservation information (day, time, number of guests, restaurant).

Table reservations on our website go through the online reservation system of Bookatable GmbH & Co. KG, Deichstraße 48-50, D-20459 Hamburg, Germany. All data you enter shall be encrypted. Bookatable commits to the data privacy-appropriate handling of your personal data. Bookatable takes all organisational and technical measures to protect your data.

In this context, no further use or transfer of your data to third parties takes place.

2. Legal basis for the processing of data

The legal basis for the processing of the data is firstly our legitimate interest in the processing of data, as well as the consent of the user by acknowledging our conditions for data processing.

3. Purpose of data processing

The processing of personal data serves solely to book your table.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection.

5. Means of objection and removal

The user has the option to object to the processing of their personal data at any time.

Applying for employment in our company

1. Description and scope of data processing

You have the opportunity to apply for a job vacancy or to send us an unsolicited application. You can do so by email or on paper. You can access our job vacancies on our website. If you take this opportunity, we will store general information about you in our administration program. This data is:

• Title
• First name, surname
• Address
• Date of birth
• Email address
• Telephone number
• Date of application
• Position applied for
• Department applied for
• Method of application (by email, HotelCareer, HogastJobbörse job portal, mail)

In addition, we may forward your application internally to the responsible department head. In this context, your data is not further transferred to third parties. The data will be used exclusively for processing your application and for communication purposes.

2. Legal basis for the processing of data

The legal basis for the processing of the data is the initiation of the contract or contractual relationship.

3. Purpose of data processing

The processing of personal data serves solely to process your application.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection.

5. Means of objection and removal

You as an applicant have the option to object to the processing of your personal data at any time.

We would like to point out that in the case of objection, your application cannot be completed and communication cannot be continued.

Online reviews

1. Description and scope of data processing

Former guests can submit a review of our hotel after they check-out. We would therefore like to send you an email within 14 days of your departure to ask you for a hotel review. Each evaluation can be published anonymously if requested. If you did not feel comfortable in our hotel, we would like to take the opportunity to contact you.

If you submit an online review via our website, your data will be saved in the rating tool of TrustYou GmbH, Agnes-Pockels-Bogen 1, D-80992 Munich, Germany. TrustYou GmbH commits to the data privacy-appropriate handling of your personal data. It takes all organisational and technical measures to protect your data.

If a former guest makes an online review, data from the former guest is stored in the evaluation mask. This data is: email address, as well as voluntary information such as first name, surname, language as well as information for the review.

In this context, no further transfer of the data to third parties takes place. The data will only be used to publish the rating and to mediate in cases of poor ratings.

2. Legal basis for the processing of data

The legal basis for processing the data is also our legitimate interest in data processing.

3. Purpose of data processing

The purpose of the hotel review is to communicate and summarise the opinions of hotel guests on our website in order for interested parties to get an idea of our services. In addition, the results support our internal quality management.

4. Duration of storage

The data is not deleted.

5. Means of objection and removal

The user has the option to have their published review deleted (right to be forgotten) at any time. Please simply tell us which review is concerned.

Contact forms and email contact

1. Description and scope of data processing

Our website includes a contact form that can be used for electronic communication. If a user uses this option, the data entered in the input mask is transferred to us and saved. For the processing of the data in the context of the submission process, your consent shall be obtained and we hereby expressly refer you to this privacy statement.
Alternatively, you can make contact via the email address provided. In this case, the user’s personal data transmitted by email will be stored.
In this context, there is no disclosure of the data to third parties. The data is used exclusively for processing the conversation.

2. Legal basis for the processing of data

The basis of processing data with the user’s explicit consent is Article 6 par. 1 p. 1 lit. a GDPR.
The legal basis for the processing of the data transmitted in the course of sending an email is Article 6 par. 1 p. 1 lit. f GDPR. If the email contact is intended to conclude a contract, then additional legal basis for the processing is Article 6 par. 1 p. 1 lit. b GDPR.

3. Purpose of data processing

The processing of the personal data from the input mask serves only to process the establishment of contact. In the case of contact via email, this also includes the required legitimate interest in the processing of the data.
The other personal data processed during the submission process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of storage

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data from the input mask of the contact form and data sent by email, this is when the respective conversation with the user has ended. The conversation has ended when it can be inferred from the circumstances that the relevant facts have been clarified in full.
The additional personal data collected during the submission process will be deleted after a period of seven days at latest.

5. Means of objection and removal

The user has the option to revoke their consent to the processing of their personal data at any time. If the user contacts us by email, they may object to the storage of their personal data at any time. In such cases, communication cannot continue.

Use of Facebook Pixel

1. Scope of processing of personal data

We use “Facebook Pixel” from the social network Facebook, Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, United States; or, if you are an EU resident, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. With this analysis tool, Facebook can choose users of our website as the target group for the display of ads.

2. Legal basis for the processing of personal data

The legal basis for the processing of personal data is Article 6 par. 1 p. 1 lit. f GDPR.

3. Purpose of data processing

The use of Facebook Pixel serves to evaluate the effectiveness of Facebook advertisements for statistical and market research purposes. As a result, future advertising measures can be optimised.

4. Duration of storage

We have no information about the duration of storage.

5. Means of objection and removal

The collected data remain anonymous for us. It is saved and processed by Facebook. There is a possibility that a connection to your Facebook profile can be made. Facebook may use this information for its own promotional purposes under the Facebook Data Use Policy (https://www.facebook.com/about/privacy/). If you do not want Facebook to associate the use of our website with your Facebook profile, then please log out of your Facebook user account. You can object to collection of data by Facebook Pixel and the use of your data for the display of Facebook ads by clicking the following link.

You can also object to the use of Facebook Pixel using our opt-out link:

Use of Facebook plugins

1. Scope of processing of personal data

We use the plugins of Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, United States; or, if you are an EU resident, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Activating this plugin creates a connection between your browser and the Facebook server, allowing Facebook to learn that you visit our website with your IP address. Additionally, Facebook receives information about the date, time, browser type and version, operating system and version, and Facebook Cookies previously set on your browser. From this, Facebook can recognise which websites with Facebook content you were on. The plugin is part of Facebook and will only be displayed on our site. Any interaction with the plugin is an interaction on "facebook.com".

If you are signed into Facebook, your Facebook registration number is transmitted when the plugin is activated. The visit to our website can therefore be connected to your Facebook account. Depending on the settings of your Facebook account, clicking the plugin will be published on Facebook. You can prevent this by signing out of your Facebook account before you activate the plugin and deleting all Facebook Cookies after visiting websites with Facebook plugins.

2. Legal basis for the processing of personal data

The legal basis for processing is Article 6 par. 1 p. 1 lit. a GDPR.

3. Purpose of data processing

Facebook processes this data to find errors in its own system, to improve its own products and their adaptation to user behaviour, to monitor, place and individualise advertising. In addition, the processing also serves the purposes of localisation, recording of the way websites with Facebook content are used, and for the purpose of market research.

4. Duration of storage

According to their own information, Facebook stores the data for up to 90 days. After this the data is only used in anonymised form.

5. Means of objection and removal

Find more information about the use and collection of data in Facebook's privacy policy: https://facebook.com/about/privacy/.

Use of Google AdWords

1. Scope of processing of personal data

Our website uses Google AdWords from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. This is an online advertising program that uses conversion tracking. When you reach our website via a Google Ad, Google AdWords places a Cookie on your computer. Each Google AdWords customer will be assigned a different Cookie.

2. Legal basis for the processing of personal data

The legal basis for processing is Article 6 par. 1 p. 1 lit. f GDPR.

3. Purpose of data processing

We only receive information about the total number of users who respond to our ad. No information will be shared with us that allows us to identify you. The use is not for purposes of traceability.

4. Duration of storage

The Cookie becomes invalid after 30 days.

5. Means of objection and removal

You can stop Google conversion tracking by turning off tracking in your browser. Find more information by visiting https://policies.google.com/privacy?hl=en

Use of Google Analytics

1. Scope of processing of personal data

Our website uses Google Analytics, a web analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States ("Google"). Google Analytics uses Cookies, text files that are saved onto your computer and allow the use of our website to be analysed. The information generated by the Cookie about your use of this website is transmitted to a Google server in the USA and saved there. However, if IP anonymisation is activated on this website, your IP address will be shortened by Google beforehand within member states of the European Union or other signatories to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. IP anonymisation is active on this website. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, compile reports on website activity and provide other services related to website activity and Internet usage to the website operator. The IP address provided by Google Analytics as part of Google Analytics will not be merged with other Google data. You can prevent the storage of Cookies by activating a corresponding setting on your browser software; however, we point out that in this case you may not be able to use all the features of our website in full.

2. Legal basis for the processing of personal data

The legal basis for the processing is Article 6 par. 1 p. 1 lit. f GDPR.

3. Purpose of data processing

The purpose of the processing of personal data is in the targeted approach of a target group that has already shown initial interest by visiting the page.

4. Duration of storage

Advertisement data in server logs is anonymised by Google, according to their own information, by deleting parts of the IP address and Cookie information after 9 or 18 months.

5. Means of objection and removal

You may additionally prevent Google from collecting the data generated by the Cookie and related to your use of the website (including your IP address), as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
Find more information by visiting https://policies.google.com/privacy?hl=en.

Use of Google Analytics Remarketing

1. Scope of personal data processing

Our website uses the remarketing feature of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. Together with Google, we offer you appropriate and interest-based advertisements. Google Analytics Remarketing uses Cookies. These are saved on your computer. According to information from Google, this does not involve any collection of personal data. According to Google's information, no connection to other Google services is made.

2. Legal basis for the processing of personal data

The legal basis for the processing is Article 6 par. 1 p. 1 lit. f GDPR.

3. Purpose of data processing

The purpose of the processing of the personal data is to directly address a target group. The Cookies stored on your computer recognise you when you visit a website and can therefore show you interest-based advertising.

4. Duration of storage

Advertisement data in server logs is anonymised by Google, according to their own information, by deleting parts of the IP address and Cookie information after 9 or 18 months.

5. Means of objection and removal

You can prevent the use of the Remarketing feature by activating the appropriate settings at the following link: https://adssettings.google.com/authenticated?hl=en.
Find information by visiting: https://policies.google.com/privacy?hl=en.

Use of Google Maps Plugin

1. Scope of personal data processing

Our website uses the online map service Google Maps from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. By using Google Maps on our website, information about the use of our website, your IP address and address entered in the route planner feature are transmitted to a Google server in the USA and stored there. By using our website you consent to the processing of your data collected by Google Maps.

2. Legal basis for the processing of data

The legal basis for the processing is Article 6 par. 1 p. 1 lit. f GDPR.

3. Purpose of data processing

We have no information about the purpose of data processing nor of Google's use of the data.

4. Duration of storage

We have no information about the duration of storage.

5. Means of objection and removal

Find more information at https://policies.google.com/privacy?hl=en.

Use of Instagram Plugin

1. Scope of personal data processing

Our website features integrated plugins of the service Instagram. These are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA.
The integrated Instagram buttons are used by us to link to our Instagram profile. A widget is also integrated, which allows us to show certain photos and videos from our Instagram profile on our website.
When you visit one of our pages that contain such a plugin, your browser connects directly to an Instagram server. The contents of the plugins are directly transmitted by this to your browser and are integrated into the website. This automatically transfers data to Instagram and stores it on their servers. This data includes connection information (e.g. your IP address, date and time, URL visited), the browser you are using, and the operating system. Your visit to our website can be tracked by Instagram, even if you do not actively use the plugin features.
If you are logged into your Instagram account, you can link the content of our website to your Instagram profile by clicking on the Instagram button. This allows Instagram to associate your visit to our website with your user account. If you want to prevent this instant mapping, you must sign out of Instagram before visiting our website. For more information, please see the Instagram Privacy Policy: https://help.instagram.com/155833707900388

2. Legal basis for the processing of data

The legal basis for the processing of the user's personal data is Article 6 par. 1 p. 1 lit. f GDPR.

3. Purpose of data processing

Please refer to Instagram's privacy policy for information on the purpose of the processing of personal data: https://help.instagram.com/155833707900388

4. Duration of storage

We have no information about the duration of storage.

5. Means of objection and removal

Please find more information by visiting the following link: https://help.instagram.com/155833707900388.

Use of VG-Wort session Cookies

1. Scope of personal data processing

Our website uses session Cookies from VG-Wort, Verwertungsgesellschaft WORT Rechtsfähiger Verein kraft Verleihung, Untere Weidenstrasse 5, 81543 Munich, Germany. By using this website, a Cookie is saved onto your computer. The Cookie is used to measure access to texts. This allows recording of the probability of texts being copied. Measurements are made by INFOnline GmbH (www.infonline.de) using the Scaleable Centralised Measuring System. No personal data is processed by the Cookies.

2. Legal basis for the processing of data

The legal basis for processing the user's personal data is Article 6 par. 1 p. 1 lit. c GDPR in conjunction with §§53, 54 I UrhG (German copyright act).

3. Purpose of data processing

VG-Wort session Cookies are used to determine the copy probability of individual texts for remuneration of legal claims from authors and publishers.

4. Duration of storage

We have no information about the duration of storage.

5. Means of objection and removal

If you do not want Cookies to be saved, you can deactivate storage on your browser.

Find more information on VG-WORT session Cookies by visiting: https://www.vgwort.de/datenschutz.html.

Use of Bing-Adwords

1. Scope of personal data processing

Our website uses the Conversion Tracking Tool from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft Bing Ads will store a Cookie on your computer if you access our website through a Microsoft Bing ad. We only learn the total number of users who clicked on a Bing ad and were then redirected to the conversion page. No personal information about the identity of the user is passed on.

2. Legal basis for the processing of personal data

The legal basis for the processing of the user’s personal data is Article 6 par. 1 p. 1 lit. f GDPR.

3. Purpose of data processing

This allows Microsoft Bing and us to see that someone clicked on an ad, was redirected to our website, and reached a previously determined landing page (conversion page).

4. Duration of storage

The duration of storage depends on the respective browser settings and cannot be influenced by us. If you do not want information about your behaviour to be used as set out above, you can decline the setting of the Cookie.

5. Means of objection and removal

Find more information by visiting the following link: https://privacy.microsoft.com/en-gb/privacystatement
You can deactivate the use by Microsoft (Blacklist) at the following link: http://choice.microsoft.com/de-DE/opt-out

Use of CleverReach

1. Scope of personal data processing

To send our newsletter, we use the software CleverReach, operated by CleverReach GmbH & Co. KG, Mühlenstraße 43, 26180 Rastede, Germany. In doing so, your data is also saved by CleverReach. For subscription to our newsletter, your data is not given to third parties and CleverReach has no right to pass on your data.

2. Legal basis for the processing of personal data

The legal basis for the processing of the user’s personal data is generally Article 6 par. 1 p. 1 lit. a GDPR. If on a contractual basis, then Article 6 par. 1 p. 1 lit. b GDPR also applies.

3. Purpose of data processing

CleverReach offers evaluation options such as how the newsletter is opened and used by the recipient.

4. Duration of storage

The data is saved and evaluated until the processing of the data is objected to or the recipient unsubscribes from the newsletter.

5. Means of objection and removal

Find more information by visiting the following website: https://www.cleverreach.com/en/privacy-policy/

Use of the Pinterest Plugin

1. Scope of processing

Our website uses the Pinterest plugin from Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103-490, United States. When you visit our website containing the plugin, your browser creates a connection to Pinterest’s server in the USA. Log data about your visit to the website will be forwarded to Pinterest. This can include the following data:

1. your IP address
2. the address of the websites visited that also include Pinterest functions 
3. the type and settings of your browser
4. the date and time of your enquiry
5. the way you use Pinterest.

2. Legal basis for the processing of personal data

The legal basis for the processing of the user’s data is Article 6 par. 1 p. 1 lit. a GDPR.

3. Purpose of data processing

We use Pinterest for the user-friendliness of our website.

4. Duration of storage

We have no information about the duration of storage.

5. Means of objection and removal

Find more information on the purpose and scope of Pinterest’s data collection by visiting: https://policy.pinterest.com/en-gb/privacy-policy

Use of the Twitter Plugin

1. Scope of the processing of personal data

Our website uses "Social Plugins" from twitter.com.
The provider of this service is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
By using Twitter and the "Re-Tweet" feature, the webpages you visit will be linked to your Twitter account and shared with third parties. We do not receive any information about the content of the transmitted data and its use by Twitter. For details about how Twitter treats your data, as well as your rights and information on how to protect your personal data, please refer to the Twitter privacy policy:
http://twitter.com/privacy
If you do not wish for Twitter to assign the data collected via our website directly to your Twitter account, you must log out of Twitter before visiting our website.

2. Legal basis for the processing of personal data

The legal basis for the processing is Article 6 par. 1 p. 1 lit. a GDPR.

3. Purpose of data processing

Information about which data is processed by Twitter and for what purposes it is used can be found in Twitter's privacy policy: https://twitter.com/en/privacy

4. Duration of storage

Please refer to Twitter's data privacy policy for information on the retention period: https://twitter.com/en/privacy

5. Means of objection and removal

Please refer to Twitter's data privacy policy for information on Twitter services:
https://twitter.com/en/privacy

Use of the TourOnline AG DIRS21 booking tool

Our website uses the online booking tool DIRS21 (hereinafter “OBT”) provided by the company TourOnline AG, Borsigstrasse 26, 73249 Wernau, Germany (www.dirs21.de, hereinafter “TOAG”) to enable online booking of accommodation and other travel services, and to process enquiries. As part of the operation of the OBT, TOAG processes data as the controller. The information and provisions on data protection can be found in TOAG’s data protection policy for the OBT, which can be accessed at any time on the OBT or at www.dirs21.de/en/privacy/

Hubermedia eT4® APP

Product concerned:
https://www.hubermedia.de

After opening the app, the following data is collected from the user’s device:

Wireless network / internet connection information
When the app is started, it first tries to determine whether the device has access to the internet or is logged into a wireless network. Using this information, the app can send usage information (e.g. when downloading maps: “Pause download if not connected to a Wi-Fi network”) or offer use of the app in an online or offline mode.

Free up internal memory
The app also checks whether the device has freed up memory for external applications. If possible, the app can store downloaded maps, as well as text and images of POIs on the user’s device.

Access to camera
If the user has allowed access to the camera, the app can provide an augmented reality view, in which POIs can be displayed by the camera in their natural environment.

Access to phone call function
The app checks whether the phone call function can be used. This allows calls to be made directly from the app when the user clicks on a phone number. The app also uses this function to ensure that it doesn’t crash when the user makes a call and the user can continue searching in the app after making a phone call without losing the data.

GPS location
The app requires access to the location of the user’s device. When the app is called up, it determines the current location using GPS in order to be able to provide information on the immediate surroundings. Data about the user’s location is only used to process the request. Location data is transmitted via an encrypted connection. Location data is anonymised after use of the app is finished and is statistically evaluated to improve the service. The location is queried regularly during use (the use of location data can also be seen on mobile devices via the location arrow shown at the top of the screen).

Wishlist
If the user creates a wishlist, it is also saved as a cookie so that the list can be displayed the next time it is used. This information is not stored by the app but only requested in order to be able to offer the service. The user can control the use of this function or access it via the app on their device. Settings can be changed under Settings/Apps/App Name/Permissions.
There the user can
– prevent access to wireless network information,
– prevent access to the camera, internal memory (for maps, pictures and text) and the phone call function, and
– prohibit access to GPS location by switching off the location service.
The wishlist can be deleted by using the “Reset settings” function in the app.

“Report problem” contact form
The data provided by the user is used to process their request to the author responsible for the offer. For this purpose, we pass on the data entered to the responsible author in the form of an e-mail. The data entered will also be stored on our servers in a log file for three months, and then automatically and irrevocably deleted. This data is not passed on to third parties, and the contact form is encrypted using SSL technology to prevent unauthorised access by third parties to the data provided.

Purchasing a voucher over the website

1. Description and scope of data processing

You can purchase vouchers on our website. If you choose to do so, the data entered into the form will be transmitted to us and saved. This data includes: salutation, first name, surname, address, e-mail address, telephone, voucher value, personalisations made to the voucher, shipping options/alternative delivery address, payment method.

If you purchase a voucher on our website, this is done through LiveTable GmbH’s online ordering platform (LiveTable GmbH, Stiftgasse 31, 1070 Vienna, Austria). All order-relevant data you enter will be transmitted in encrypted form. LiveTable is committed to handling your data in accordance with data protection regulations. LiveTable takes all organisational and technical steps to protect your data.

The data will not be passed on to third parties. The data is only used to process orders and for communication purposes.

2. Legal basis for data processing

The legal basis for processing this data is the conclusion of a purchase contract.

3. Purpose of data processing

The processing of the personal data from the form serves solely to process the purchase of the voucher, and to process payment transactions.

4. Duration of storage

Data will be deleted as soon as it is no longer required to fulfill the purpose for which it was collected. In the case of a contractual relationship, we will delete the data as soon as national, commercial, statutory or contractual retention requirements have been met.

5. Objection and removal

The user is entitled to object to the processing of their personal data at any time.

Appendix:

We use the following webshops and reservation systems:

• protel hotelsoftware GmbH, Europaplatz 8, 44269 Dortmund
• LiveTable GmbH Stiftgasse 31, 1070 Vienna
• websLINE internet & marketing GmbH, Sägewerkstrasse 24, 83395 Freilassing
• Seekda GmbH Neubaugasse 10/15 1070 Vienna
• We use WebBeacons and cookies from and have entered into a data processing agreement with them.

You have the right to access, rectification, erasure, restriction, portability, revocation and objection to data processing. If you have any questions, comments or other enquiries regarding this Data Privacy Policy, please contact us at: H2O-Hoteltherme GmbH / Sebersdorf 300 / 8271 Bad Waltersdorf; e-mail: datenschutz(at)hoteltherme.at

Find more information on our legal notice page.

If you believe the processing of your data violates data protection law, or that your data protection rights have otherwise been violated in any way, you can contact the supervisory authority: <Österreichische Datenschutzbehörde; Wickenburggasse 8, 1080 Vienna; Phone: +43 1 521520; E-mail: dsb(at)dsb.gv.at>

We reserve the right to change this data privacy policy at any time and to update it according to new developments. The new version comes into effect as soon as it is made available on our website. We therefore encourage you to check it regularly for updates or changes.

Status: 31/7/2018

Data privacy information for photos and film recordings at public events

Bayerischer Hotel- und Gaststättenverband, DEHOGA Bayern e.V.

The following information is presented in accordance with Article13/14 GDPR:
When you visit one of our events, we collect and process personal data in the form of photos and videos. The General Data Protection Regulation (GDPR) stipulates that we must inform you about the type and scope of processing, and your rights at the time the data is collected. We provide you with this information in accordance with Article 13/14 GDPR as follows:

1. Data controller:

The data controller is the Bayerische Hotel- und Gaststättenverband DEHOGA Bayern e. V., represented by president Angela Inselkammer, Türkenstrasse 7, 80333 Munich; phone: 089 / 28760-0, e-mail: info@dehoga-bayern.de.

Our data protection officer can be reached by mail, telephone or fax under the contact name of the controller. The e-mail address is: datenschutzbeauftragter@dehoga-bayern.de

During the event, please direct any data protection queries to our data protection officer: Rita Mautz, DEHOGA Bayern e. V. - Lower Bavaria District Office, Schwimmschulstrasse 17, 84034 Landshut; phone: 0871 / 640 389 or by e-mail: datenschutzbeauftragter@dehoga-bayern.de

2. Legal basis and purpose of data collection and processing:

Photographs and film footage from this event will be used for reporting and marketing purposes and will subsequently be used and published in various forms of media such as radio, social media, websites, our association’s media, in particular “Gastgeber Bayern”, as well as in press releases, newsletters, brochures, print material, etc. This is allowed by Article 6 paragraph 1 sentence 1 lit. f GDPR because we have a legitimate interest in our public relations work.

Because you are attending a public event, we assume that you have no general reasons against photography and film recording and their processing for the purposes described. Should this not be the case, please immediately contact the data controller named in point 1 at the event.

In addition, we keep an association archive in which we store such material. This is allowed by Article 6 paragraph 1f GDPR because we have a legitimate interest in documenting our association’s activities.

We will obtain your consent to process images regarding which we must assume you have a high personal interest in not being taken and not being published (Article 6 paragraph 1a GDPR).

3. Which personal data do we process?

We process photos and film recordings of your image for the purpose mentioned in point 2.

4. Internal recipients of personal data:

When processing personal data, employees and volunteers of the association are transmitted to the extent that is necessary to fulfill the purpose of the data processing.

5. External recipients of personal data:

Depending on what is required, personal data will also be passed on to third parties for processing. With regard to photos and film recordings, this applies in particular to local and national press. We also publish photos and film recordings on the internet.

6. Duration of storage / deletion:

Personal data will be deleted as soon as it is no longer required for the purpose of processing, unless statutory retention periods determine otherwise.

7. Your rights:

You have the following rights:

• Right to access pursuant to Article 15 GDPR
• Right to rectification pursuant to Article 16 GDPR
• Right to erasure pursuant to Article 17 GDPR
• Right to restriction of processing pursuant to Article 18 GDPR
• Right to data portability pursuant to Article 20 GDPR
• Right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR
• Right to be able to revoke given consent at any time, without affecting the legality of the processing carried out on the basis of the consent up to the point of its revocation

Insofar as the processing of personal data is based on a weighing of interests for the association’s purposes, you can object to processing as outlined in Article 21 GDPR. We would like to point out that you can object to processing in accordance with Article 21 (1) GDPR on grounds relating to your particular situation. This objection must be met in whole or in part if there are valid reasons that prevent processing. Please inform us of these reasons at the time you file your objection. We will then examine the situation and either stop or adjust processing, or inform you of the justified reasons for continuing the processing of your data.